On Sun, Aug 03, 2014 at 10:08:03AM +0200, Daniel Gollub wrote:
> 
> This proposed patch is not changing the existing sssd/pam_sss behavior
> if a domain in login is required or not. If the sssd
> option "use_fully_qualified_names" is false (default) then both will
> work. If set to true, the domain needs to be specified.
> 
> If the PAM service is using domains=emea.example,hq.example.com and
> someone tries to sneak in by authenticating with:
> [email protected] ... this will not work. The sssd pam responder
> code - with this patch applied - is intended to completely skip any
> other domain which is not set by the domains= argument.

My concern is this -- if we are going to harden the list of domains
that will be used for authentication (or identity operations),
it would be good to find a way to also make it possible for the
application using the PAM stack to find out which domain (and thus
which identity) sssd actually used. So for "login", was it
"[email protected]" or "[email protected]" that was used?

Do we have a way to return the information to the application?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to